Traceback - Hack The Box

Traceback was an easy box where you had to look for an existing webshell on the box, then use it to get the initial foothold. After that, some typical sudo stuff with a Lua interpreter gives us access as another user. For privesc, we find that we can write to /etc/update-motd.d, and those scripts get executed by root.

Summary

  • Find a hint in the HTML comments of the main page about popular webshells
  • Find the hidden webshell by trying out popular webshells found by googling the HTML comments hint
  • Get a reverse shell as user webadmin, and use the Lua interpreter to get a shell as sysadmin
  • Watch running processes with pspy and find the motd update process running as root
  • Edit the 80-esm script and log in by SSH again to trigger it

Portscan

root@kali:~/htb/traceback# nmap -T4 -sC -sV -p- 10.10.10.181
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-15 15:48 EDT
Nmap scan report for traceback.htb (10.10.10.181)
Host is up (0.018s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Finding the webshell

As we can see, the website has been defaced by some elite hacker named Xh4H.

The HTML source code reveals a hint:

<body>
	<center>
		<h1>This site has been owned</h1>
		<h2>I have left a backdoor for all the net. FREE INTERNETZZZ</h2>
		<h3> - Xh4H - </h3>
		<!--Some of the best web shells that you might need ;)-->
	</center>
</body>

Googling "Some of the best web shells that you might need", I end up on https://github.com/TheBinitGhimire/Web-Shells.

I tried each webshell filename on the box and got a hit on http://10.10.10.181/smevk.php

The creds are admin / admin.

To get a shell, I simply use a common payload with the Execute function on the webshell:

Privesc from webadmin to sysadmin

First, I’ll add my SSH key to the webadmin’s authorized_keys file so I can log in with a proper SSH shell.

Looking at my home directory, I see a program called luvit owned by sysadmin and a privesc.lua file that writes an SSH key to the sysadmin folder.

The note.txt file says:

webadmin@traceback:~$ cat note.txt 
- sysadmin -
I have left this tool to practice Lua. Contact me if you have any question.

So it’s pretty clear we need to use the Lua interpreter to escalate to sysadmin.

We can run the interpreter as sysadmin:

webadmin@traceback:~$ sudo -l
Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/webadmin/luvit

We just need to call /bin/bash to get a shell as sysadmin.

Privesc from sysadmin to root

Again, let’s dump our SSH key so we can get a real shell.

We can now read the flag:

$ cat user.txt
c2434970[...]

Using pspy, I can see that the /bin/sh /etc/update-motd.d/80-esm script gets executed by root every time someone logs in.

There’s a script that runs every 30 seconds to restore the original copies of files in /etc/update-motd.d/, so it’s obvious that this is the way in for this box.

All the files are writable by sysadmin, so it’s game over at this point.
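
From the defender's side, the condition that makes this possible (login-time scripts executed by root but writable by another account) can be found with a short audit. This is an added example, not part of the original write-up; the function name `audit_motd_dir` and its `trusted_uid` parameter are assumptions made for illustration.

```python
import os
import stat
import sys


def audit_motd_dir(path="/etc/update-motd.d", trusted_uid=0):
    """Return (path, reason) findings for motd scripts a non-root user could modify.

    The write-up shows these scripts being executed by root at login, so the
    directory and every file in it should be owned by root and writable by
    root only. trusted_uid is a hypothetical parameter that lets the check be
    exercised without root privileges.
    """
    findings = []
    targets = [path] + sorted(
        os.path.join(path, name) for name in os.listdir(path)
    )
    for target in targets:
        try:
            st = os.stat(target)  # follows symlinks: the target's mode is what matters
        except OSError as exc:
            findings.append((target, f"cannot stat: {exc.strerror}"))
            continue
        if st.st_uid != trusted_uid:
            findings.append((target, f"owned by uid {st.st_uid}"))
        if st.st_mode & stat.S_IWGRP:
            findings.append((target, f"writable by gid {st.st_gid}"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((target, "world-writable"))
    return findings


if __name__ == "__main__":
    # Optional first argument: directory to audit (defaults to /etc/update-motd.d).
    results = audit_motd_dir(*sys.argv[1:2])
    for target, reason in results:
        print(f"[!] {target}: {reason}")
    sys.exit(1 if results else 0)
```

Any finding means the account or group named in the output can change what root runs at the next login; the fix is root ownership with mode 755 on the scripts and the directory.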

We just need to change the 80-esm file to something like this and it’ll make bash suid so we can get root: